Bash recursion insecurity

Kevin Day thekevinday at
Sat Sep 23 22:25:53 PDT 2006

I've been thinking about the well known recursive security issues with
a program calling itself over and over again. In this case, with bash.

Something like:

$  #!/bin/bash
$  $0 &
$  $0 &
$  exec $0 # just for kicks

or a chain-recursion:

$ #!/bin/bash
$  ./some_script_that_calls_another_script &

$  #!/bin/bash
$ ./the_other_script_that_calls_this_script &

I've been wondering if I should make a patch for patch that extends
some sort of memory (double-pointed list?) so that when bash executes
commands from child scripts, it will not allow the parent script to be

1) I am not very familiar with bash's source design to impliment this
effeciently & properly
2) I can see some landmines such as actually knowing that the script
being called is being a the following example:
  / someotherdir/bin/program_to_call
  where /dev/somepartition is mounted on both /somedir and /someotherdir
3) Does bash even allow the children to see parent information
  I can see a fix for this, perhaps using shared memory, or secretly
passing arguments to all children and "exec" calls?
4) some people, perhaps isolated embeded systems, may actually need
recursion in this manner
 I can see a fix for this by doing #ifdefs and a compile time
5) There will be a security issue introduced if the size of the
list/arrary is not controlled/limited.

Any ideas?
Is this something already done somewhere?
Anybody familair with bash's source structure?

The limits may stop this from going insane, but it still puts pressure
on the system by wasting resources.  I'd rather prevent this
altogethor, but at the same time it will remove the fun joke on new
programmers/users who sit at a terminal spitting out "Muahahahahaha!"
over and over..

rough design idea:

[[[ STRUCT Dynamic Linked List (bi-directional) ]]]
[ calloced arrary based on prog name (with a MAXSIZE of some sort) ]
[ void * previous list ]
[ void * next list ]
[[[ END STRUCT ]]]

  match = look for a match in the parent program names, on find, deny call/exec
  push = add the name to the list prior to allowing call/exec (at end of list)
  pop = when call quits/exits remove from list and reattach any broken lists
  pass = an exec needs this data, make sure it gets it..somehow

Kevin Day

More information about the hlfs-dev mailing list